CVE-2025-14708
Published: 15 December 2025
Summary
CVE-2025-14708 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Sgwbox N3 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly validates the 'params' argument in the WIREDCFGGET interface to prevent buffer overflow exploitation from malformed inputs.
Implements memory protections such as ASLR, stack canaries, and DEP to mitigate arbitrary code execution resulting from the buffer overflow vulnerability.
Enforces boundary protection to monitor and control remote network access to the vulnerable /usr/sbin/http_eshell_server, blocking unauthenticated exploitation attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in public-facing HTTP service (http_eshell_server, WIREDCFGGET interface) allows remote unauthenticated arbitrary code execution, directly mapping to exploitation of public-facing applications.
NVD Description
A weakness has been identified in Shiguangwu sgwbox N3 2.0.25. Affected by this vulnerability is an unknown functionality of the file /usr/sbin/http_eshell_server of the component WIREDCFGGET Interface. Executing manipulation of the argument params can lead to buffer overflow. The attack…
more
may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-14708 is a buffer overflow vulnerability (CWE-119, CWE-120) in Shiguangwu sgwbox N3 version 2.0.25. The flaw affects an unknown functionality in the /usr/sbin/http_eshell_server file of the WIREDCFGGET Interface, where manipulation of the "params" argument triggers the overflow. Published on 2025-12-15, it carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
Attackers can exploit this vulnerability remotely over the network without authentication, privileges, or user interaction (AV:N/AC:L/PR:N/UI:N/S:U). Successful exploitation grants high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution. A public exploit is available, increasing the risk of widespread abuse.
VulDB advisories, which serve as the primary disclosure sources, detail the issue but note that the vendor was contacted early without any response, implying no patches or official mitigations are available. Additional references include VulDB submission pages and a Notion document summarizing the sgwbox NAS N3 buffer overflow.
Details
- CWE(s)